Description
Recertification campaigns are typically executed for groups of users based on predefined scopes. While this works well for periodic access reviews, there are scenarios where organizations need to perform a targeted access recertification for a single user.
This is particularly relevant during identity lifecycle events such as when a user changes role, department, or manager. In these situations, it is important to verify whether the user’s currently assigned products and access rights are still appropriate for their new position.
Currently, administrators must wait for the next recertification campaign or create a broader campaign scope to review the access of a single user. This can make it difficult to respond quickly to organizational changes and maintain a least-privilege access model.
Requested Enhancement
Introduce the ability to start an access recertification process for an individual user. This should allow administrators to trigger a recertification manually, through the HelloID API, or automatically based on identity lifecycle changes such as manager, job title, role, or department changes. Once triggered, the assigned reviewer should be able to review and either approve or revoke the user’s currently assigned products and access rights.
Use Case / User Story
As an administrator, I want to trigger an access recertification for a specific user when their identity attributes change, such as their department, role, or manager, so that the responsible reviewer can verify whether the assigned products and permissions are still appropriate.
Business Value
This improvement supports least-privilege access principles, enables access reviews based on identity lifecycle events, reduces the risk of users retaining unnecessary access after role changes, improves identity governance visibility, and allows organizations to perform targeted access reviews without running full recertification campaigns.